fix(demo): route Dockhand through socket proxy, add resource limits

- Route Dockhand Docker access through docker-socket-proxy via DOCKER_HOST=tcp://docker-socket-proxy:2375 instead of direct socket mount, enforcing the security model documented in AGENTS.md - Add POST, DELETE, ALLOW_START, ALLOW_STOP, ALLOW_RESTARTS permissions to socket proxy for Dockhand container management - Add deploy.resources.limits.memory to all 16 services (128M-1024M depending on service needs) - Add MailHog SMTP port 4019 mapping (1025 internal) so applications can actually send test emails to MailHog - Remove stale config/portainer/ directory 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-01 09:41:08 -05:00
parent 904fc6d727
commit 265d146bd3
2 changed files with 79 additions and 1 deletions
--- a/demo/docker-compose.yml.template
+++ b/demo/docker-compose.yml.template
@@ -66,6 +66,15 @@ services:
      - SECRETS=${DOCKER_SOCKET_PROXY_SECRETS}
      - CONFIGS=${DOCKER_SOCKET_PROXY_CONFIGS}
      - PLUGINS=${DOCKER_SOCKET_PROXY_PLUGINS}
+      - POST=1
+      - DELETE=1
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+    deploy:
+      resources:
+        limits:
+          memory: 128M
    labels:
      homepage.group: "Infrastructure"
      homepage.name: "Docker Socket Proxy"
@@ -93,6 +102,10 @@ services:
      homepage.icon: "homepage"
      homepage.href: "http://localhost:${HOMEPAGE_PORT}"
      homepage.description: "Central dashboard for service discovery"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
             "http://localhost:3000"]
@@ -123,6 +136,10 @@ services:
      homepage.icon: "pihole"
      homepage.href: "http://localhost:${PIHOLE_PORT}"
      homepage.description: "DNS management with ad blocking"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
             "http://localhost/admin"]
@@ -141,16 +158,23 @@ services:
      - "${DOCKHAND_PORT}:3000"
    volumes:
      - ${COMPOSE_PROJECT_NAME}_dockhand_data:/app/data
-      - /var/run/docker.sock:/var/run/docker.sock
    environment:
+      - DOCKER_HOST=tcp://docker-socket-proxy:2375
      - PUID=${DEMO_UID}
      - PGID=${DEMO_GID}
+    depends_on:
+      docker-socket-proxy:
+        condition: service_started
    labels:
      homepage.group: "Infrastructure"
      homepage.name: "Dockhand"
      homepage.icon: "dockhand"
      homepage.href: "http://localhost:${DOCKHAND_PORT}"
      homepage.description: "Modern Docker management UI"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "curl", "-f", "--silent",
             "http://localhost:3000"]
@@ -184,6 +208,10 @@ services:
      homepage.icon: "influxdb"
      homepage.href: "http://localhost:${INFLUXDB_PORT}"
      homepage.description: "Time series database for metrics"
+    deploy:
+      resources:
+        limits:
+          memory: 512M
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
             "http://localhost:8086/ping"]
@@ -216,6 +244,10 @@ services:
      homepage.icon: "grafana"
      homepage.href: "http://localhost:${GRAFANA_PORT}"
      homepage.description: "Analytics and visualization platform"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
             "http://localhost:3000/api/health"]
@@ -243,6 +275,10 @@ services:
      homepage.icon: "drawio"
      homepage.href: "http://localhost:${DRAWIO_PORT}"
      homepage.description: "Web-based diagramming application"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "curl", "-f", "--silent",
             "http://localhost:8080"]
@@ -271,6 +307,10 @@ services:
      homepage.icon: "kroki"
      homepage.href: "http://localhost:${KROKI_PORT}"
      homepage.description: "Diagrams as a service"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "curl", "-f", "--silent",
             "http://localhost:8000/health"]
@@ -299,6 +339,14 @@ services:
      homepage.icon: "atomic-tracker"
      homepage.href: "http://localhost:${ATOMIC_TRACKER_PORT}"
      homepage.description: "Habit tracking and personal dashboard"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
             "http://localhost:8080"]
@@ -333,6 +381,10 @@ services:
      homepage.icon: "archivebox"
      homepage.href: "http://localhost:${ARCHIVEBOX_PORT}"
      homepage.description: "Web archiving solution"
+    deploy:
+      resources:
+        limits:
+          memory: 512M
    healthcheck:
      test: ["CMD", "curl", "-fsS",
             "http://localhost:8000/health/"]
@@ -350,6 +402,10 @@ services:
      - ${COMPOSE_NETWORK_NAME}
    volumes:
      - ${COMPOSE_PROJECT_NAME}_ta_redis_data:/data
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: ${HEALTH_CHECK_INTERVAL}
@@ -376,6 +432,10 @@ services:
      memlock:
        soft: -1
        hard: -1
+    deploy:
+      resources:
+        limits:
+          memory: 1024M
    healthcheck:
      test: ["CMD-SHELL", "curl -sf http://localhost:9200/_cluster/health || exit 1"]
      interval: ${HEALTH_CHECK_INTERVAL}
@@ -415,6 +475,10 @@ services:
      homepage.icon: "tube-archivist"
      homepage.href: "http://localhost:${TUBE_ARCHIVIST_PORT}"
      homepage.description: "YouTube video archiving"
+    deploy:
+      resources:
+        limits:
+          memory: 512M
    healthcheck:
      test: ["CMD", "curl", "-f", "--silent",
             "http://localhost:8000/api/health/"]
@@ -444,6 +508,10 @@ services:
      homepage.icon: "wakapi"
      homepage.href: "http://localhost:${WAKAPI_PORT}"
      homepage.description: "Open-source WakaTime alternative"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "/app/healthcheck"]
      interval: ${HEALTH_CHECK_INTERVAL}
@@ -459,6 +527,7 @@ services:
      - ${COMPOSE_NETWORK_NAME}
    ports:
      - "${MAILHOG_PORT}:8025"
+      - "${MAILHOG_SMTP_PORT}:1025"
    volumes:
      - ${COMPOSE_PROJECT_NAME}_mailhog_data:/maildir
    environment:
@@ -470,6 +539,10 @@ services:
      homepage.icon: "mailhog"
      homepage.href: "http://localhost:${MAILHOG_PORT}"
      homepage.description: "Web and API based SMTP testing"
+    deploy:
+      resources:
+        limits:
+          memory: 128M
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider",
             "http://localhost:8025"]
@@ -503,6 +576,10 @@ services:
      homepage.icon: "atuin"
      homepage.href: "http://localhost:${ATUIN_PORT}"
      homepage.description: "Magical shell history synchronization"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
    healthcheck:
      test: ["CMD", "bash", "-c", "echo > /dev/tcp/localhost/8888"]
      interval: ${HEALTH_CHECK_INTERVAL}